Subject: no mechanism for timing out DNS lookups
It would be nice to be able to specify a timeout for doing DNS lookups
of, for instance, KDC IP addresses. Right now, the library just calls
getaddrinfo and takes however long getaddrinfo takes. When Kerberos
calls are done by a PAM module, this can result in login timeouts rather
than failover to local authentication.

Solving this problem will probably require using an asynchronous DNS
mechanism such as described in RT#1453.
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #4114] no mechanism for timing out DNS lookups
Date: Sun, 6 Aug 2006 18:55:43 -0400
To: MIT Kerberos RT <rt@krbdev.mit.edu>
On Aug 6, 2006, at 18:08, Russ Allbery <rra@stanford.edu> via RT wrote:
> It would be nice to be able to specify a timeout for doing DNS lookups
> of, for instance, KDC IP addresses. Right now, the library just calls
> getaddrinfo and takes however long getaddrinfo takes. When Kerberos
> calls are done by a PAM module, this can result in login timeouts rather
> than failover to local authentication.
>
> Solving this problem will probably require using an asynchronous DNS
> mechanism such as described in RT#1453.

Well, if you get some free time on your hands... :-)

Unfortunately, the current service-location plugin API doesn't give
us the flexibility to do DNS processing and KDC exchanges in parallel
like I discussed in that ticket, but we could still do the DNS
queries in parallel and control the timeout. Well, that's not
entirely true, but without enhancing the interface between the send-to-kdc
code and the service-location code, it'll be messy. We *can*
enhance that interface... but we'll still have to support the current
one.

Doing DNS queries directly would bypass any /etc/hosts listing for
the machines in question, probably not desirable. And I don't know
if anyone really uses other host lookup protocols (nis?) these days...

Ken
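One way to bound the lookup the ticket describes, added here as an example rather than code from the ticket or from MIT Kerberos: getaddrinfo() runs on a worker thread and the caller waits on a condition variable with a deadline, so resolution still goes through the system resolver (and therefore /etc/hosts, the concern raised above) while a PAM caller gets a definite failure instead of a hang. The names getaddrinfo_timeout and gai_job, and the use of EAI_AGAIN as the timeout result, are this example's own choices.

```c
#include <errno.h>
#include <netdb.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* State shared with the worker thread. The last party to finish frees it:
 * normally the caller, but the worker if the caller timed out and left. */
struct gai_job {
    pthread_mutex_t lock; pthread_cond_t done;
    char *node; struct addrinfo hints, *res;
    int err, finished, abandoned;
};
static void job_free(struct gai_job *j) {
    pthread_mutex_destroy(&j->lock); pthread_cond_destroy(&j->done); free(j->node); free(j);
}
static void *gai_worker(void *arg) {   /* runs the blocking getaddrinfo() */
    struct gai_job *j = arg;
    int err = getaddrinfo(j->node, NULL, &j->hints, &j->res);
    pthread_mutex_lock(&j->lock);
    j->err = err; j->finished = 1;
    int abandoned = j->abandoned;
    pthread_cond_signal(&j->done); pthread_mutex_unlock(&j->lock);
    if (abandoned) { if (j->res) freeaddrinfo(j->res); job_free(j); } /* caller gave up */
    return NULL;
}

/* Bounded lookup: 0 on success (free *res with freeaddrinfo()), a getaddrinfo()
 * error code on failure, or EAI_AGAIN (this example's convention) if nothing
 * arrived within timeout_sec, so a PAM caller can fail over instead of hanging. */
int getaddrinfo_timeout(const char *node, const struct addrinfo *hints,
                        struct addrinfo **res, int timeout_sec) {
    struct gai_job *j = calloc(1, sizeof *j); pthread_t tid; struct timespec deadline;
    if (!j || !(j->node = strdup(node))) { free(j); return EAI_MEMORY; }
    if (hints) j->hints = *hints; pthread_mutex_init(&j->lock, NULL); pthread_cond_init(&j->done, NULL);
    if (pthread_create(&tid, NULL, gai_worker, j)) { job_free(j); return EAI_SYSTEM; }
    clock_gettime(CLOCK_REALTIME, &deadline); deadline.tv_sec += timeout_sec;
    pthread_mutex_lock(&j->lock);
    while (!j->finished && pthread_cond_timedwait(&j->done, &j->lock, &deadline) != ETIMEDOUT) ;
    if (!j->finished) {                /* timed out: the worker now owns the job */
        j->abandoned = 1; pthread_mutex_unlock(&j->lock); pthread_detach(tid);
        return EAI_AGAIN;
    }
    int err = j->err; *res = j->res;
    pthread_mutex_unlock(&j->lock); pthread_join(tid, NULL); job_free(j);
    return err;
}
```

A lookup that times out leaves its worker thread running until the resolver itself gives up, so the bound protects the caller's latency, not the resolver's resources.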